IDOR leads to Change the password of all users (ATO).

Hi Mates,, I am Akash Patil (@skypatil98) from India . I am in bug bounty field from last 2 years. Today I’m gonna share an interesting Tale of IDOR leads to Change the password of all users (ATO). This is my 1st article so if there is any grammatical mistakes , leave on it. Without wasting any time we will start on article.So let’s get started! 😉

Let’s consider the target as target.com which is an online store management system.I quickly signed up with necessary information and created & Verified both accounts for testing purpose Account 1 (abc@gmail.com) & Account 2 (xyz@gmail.com)

Lets directly come to the point.i visited the forgot password functionality to check how its working.I enter the email Account 1: abc@gmail.com

Click on forgot password and check the email.

Reset password link look like below http://target.com/forgotpswd/SID1001

Reset Password Link

As you can see user-id parameter is disclosed in the reset password link.

Change that parameter value from SID1001 → SID1002 and enter the 2nd Account Email Address. Account 2 (xyz@gmail.com)& click on submit.

P.S : To prove the password is changing or not i created that 2nd account

After submitting time to check the 2nd Account Password Changed or Not

Just type the 2nd account email id and enter the new password which we updated in the above step.

Yeah, just easy account takeovers…!!!wait wait wait ⬇️ read below imp sections too 😉

===

Reproduction steps:

(1) Create two accounts for testing ACCOUNT1 & ACCOUNT2

(2) Request for reset password for ACCOUNT1

(3) After getting the reset password link we can see the SID parameter is disclosing in the link just change the SID Parameter value to 2nd Account. i.e SID1001 → SID1002

(4) Enter the 2nd ACCOUNT email id and new password then Submit the request ( I created 2nd account for testing purpose to prove that passwords are Actually changed successfully or not)

(5) Yeah..we are successfully able to change the password of another users.

===

Takeaway(s):

(i) Now maybe some of you have a question that how I grab the id’s ?
These ids are numeric so there is no special logic behind it we can brute force it.

(ii) Now we change the password but how we can able to log in its still need valid emails which I am not aware of so for that just simply via user enumeration we can identify the valid emails and login into their account :)

(iii) After spending few hours on the target http://target.com/forgotpswd/SID1001 I can see that this endpoint doesn't have a rate limit so we can brute force that particular parameter to change the password of all the users with the same password😂😂.

===

Thanks for reading.If you have any question you can dm me on Twitter 😊

Bug Bounty

Cybersecurity

Security

Ethical Hacking

Hacking

Information Security

Bug Hunting

Idor

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Akash Rajendra Patil

Akash Rajendra Patil

#infosec Learner | Information Security Consultant | Bug Hunter